In the field of security, there is a need for fast and secure encryption. This is why the AES (Advanced Encryption Standard; Federal Information Processing Standards Publication 197, Nov. 26, 2001) was designed and standardized.
Software implementations of cryptographic building blocks, such as those used in white-box cryptography, are insecure in the white-box threat model, where the attacker controls the execution process. The attacker can lift the secret key from memory simply by observing the operations that act on it. For example, the attacker can learn the secret key of an AES software implementation by observing the execution of the key schedule algorithm. This attack matters because it gives clues about the execution of the protected code that simplify reverse engineering. As a result, it also enables attacks on white-box operations that retrieve the secret hidden within them.
For example, DRM (Digital Rights Management) applications using fixed-key white-box AES are one instance where it is desirable to keep the attacker from finding the secret key used in the fixed-key white-box AES even though the attacker has complete control of the execution process. A construction of the AES algorithm for such a white-box model has been described by Chow et al. (Stanley Chow, Philip A. Eisen, Harold Johnson, Paul C. van Oorschot: White-Box Cryptography and an AES Implementation. Selected Areas in Cryptography 2002: 250-270). The security of this construction rests on the use of table lookups and masked data; the input and output masks applied to this data are never removed during the process. In this solution, the key value must be known at compilation time, or at least it must be possible to derive the tables from the original key in a secure environment.
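As an added illustration of the table-based construction described above (example code, not code from the cited paper or from this document), the following Python builds one key-dependent table layer, SubBytes composed with AddRoundKey for the 16 state bytes, with a random input and output byte encoding folded into each table. It shows that the round key is consumed when the tables are generated and that the running code then works only on encoded values through lookups. The S-box is derived from its definition rather than typed in; the key and block values are constructed samples, and the function names are this example's own.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def build_sbox():
    """Derive the AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for i in range(5):  # xor of inv and its left rotations by 1..4 bits
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

def random_encodings():
    """One fresh random byte bijection per state byte (an input or output encoding)."""
    rng = secrets.SystemRandom()
    return [rng.sample(range(256), 256) for _ in range(16)]

def make_tboxes(round_key, sbox, in_enc, out_enc):
    """Per state byte i: T_i = out_i o S o (xor k_i) o in_i^-1. The key byte is folded in
    when the table is generated ('compilation' time); the running code never holds k_i."""
    tables = []
    for i in range(16):
        dec = {v: x for x, v in enumerate(in_enc[i])}  # in_i^-1
        tables.append([out_enc[i][sbox[dec[e] ^ round_key[i]]] for e in range(256)])
    return tables  # 16 tables x 256 bytes = 4 KiB for this single layer

def encoded_round_matches_plain(round_key, block):
    """Push an encoded block through the tables, strip the output encoding only here for
    checking (a deployed white-box never does), and compare with plain S(x xor k)."""
    sbox = build_sbox()
    in_enc, out_enc = random_encodings(), random_encodings()
    tables = make_tboxes(round_key, sbox, in_enc, out_enc)
    out = [tables[i][in_enc[i][block[i]]] for i in range(16)]       # lookups only
    decoded = bytes(out_enc[i].index(out[i]) for i in range(16))    # out_i^-1
    return decoded == bytes(sbox[block[i] ^ round_key[i]] for i in range(16))

KEY = bytes(range(0x10, 0x20))  # constructed sample round key, not a real secret
BLOCK = bytes(range(16))        # constructed sample 16-byte state
```

Because the key byte is needed inside `make_tboxes`, a different key means regenerating and redistributing every table, which is the compile-time dependency discussed in the text.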
However, this solution does not cover every need for block cipher encryption and decryption. In particular, the case where the key is derived through a given process and is therefore unknown at compilation time is not covered. One typical use case is a software program distributed to several users, each with their own key; from a practical point of view, it is impossible to ship different code to each user. Another use case is generating session keys (different for each session) through a given process; in this case the key is of course unknown at compilation time. A last use case is when a large number of keys must be stored: it is not reasonable to store about 700 kB for each key.
Therefore, traditional implementations of white-box cryptographic operations may be susceptible to attacks from attackers who control the execution of those cryptographic operations.